Trust Your Fellow Man, But Not A Tired Store Associate

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Fast on the heels of U.K. compromised POS devices comes word from Visa of a list of PIN encryption devices (PEDs) that are known to have been compromised, including some that had previously been certified as PCI compliant.

These PEDs were altered by the bad guys and used in skimming attacks to capture magnetic stripe and PIN data. What is possibly disturbing about the Visa bulletin is that several of the devices were tested and approved for new installation. That means the retail CIO's responsibility does not stop with making sure they purchase compliant devices. Acquirers and retailers also need to ensure that devices are not compromised after they are installed.

The list of compromised devices supports Visa's July 1 sunset date for older and untested PEDs: four of the seven compromised brands (more, if you count each model number separately) must be replaced by that deadline. The remaining three models on the list were tested and passed, yet they were somehow compromised in spite of the certification.

In many cases, the retailer's PEDs were stolen and replaced with compromised ones. Device switching can happen very quickly (often in under one minute), and it usually takes place after business hours.

Visa lists several best practices for retailers to monitor their POS PEDs. Although some of them seem obscure (e.g., weighing devices to see if they vary from the manufacturer's specifications, meaning somebody may have added a bugging device), others make good business sense and are worth highlighting.

You can avoid many problems if you continuously monitor and authenticate your POS devices. Your system will alert you or the store manager if any device is replaced with an unauthorized device or even unplugged, however briefly. Such an alert should trigger an immediate inspection and replacement of the suspect device.

I am not so sure I would depend solely on store managers and POS staff to monitor POS devices for signs of tampering. They can be the first to notice something different about a PIN pad, like a new location or altered appearance. If they do, they should be trained to report it immediately. It seems to me, however, these are also very busy people. Therefore, I prefer to rely on automated authentication and monitoring to detect rogue or suspect devices.

When I start a PCI assessment, I usually ask for an inventory of POS equipment. Sometimes the client cannot comply, because they have no idea how many POS terminals or PEDs they have or where they are located. This embarrassing situation is complicated when the client also keeps a supply of replacement devices or "floaters."

You need to know immediately if any device disappears, and you particularly want to know if any disappear and mysteriously reappear later. It can indicate tampering or unauthorized use of the device, even at another merchant. When I was in the payments business, I saw this situation, and it led to what we called "laundernet."
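The two points above, automated authentication of the device at each lane and knowing immediately when a device disappears or reappears, can be reduced to a small reconciliation check against the inventory. The following is an added illustration, not code from this column or from any vendor's monitoring product; the lane names, serial numbers and the heartbeat format are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample inventory (hypothetical lanes and serials, not real devices):
# each checkout lane is mapped to the PED serial number that is authorised there.
AUTHORIZED: Dict[str, str] = {
    "store01-lane1": "PED-A1001",
    "store01-lane2": "PED-A1002",
    "store01-lane3": "PED-A1003",
}

@dataclass
class Heartbeat:
    lane: str          # lane the controller received the poll response on
    serial: str        # serial number the device reported for itself
    missed_polls: int  # consecutive earlier polls that went unanswered

def check_devices(beats: List[Heartbeat], previously_missing: Set[str],
                  max_missed: int = 1) -> List[str]:
    """Compare one polling round against the inventory and return alert strings.

    Flags a lane whose device reports the wrong serial (swapped device), a lane
    that answered after dropping off the bus (unplugged, however briefly), a lane
    that did not answer at all (missing), a device at a lane not in the inventory,
    and any serial reported missing in an earlier round that is now back.
    """
    alerts: List[str] = []
    by_lane = {b.lane: b for b in beats}
    for lane, expected in AUTHORIZED.items():
        beat = by_lane.get(lane)
        if beat is None:
            alerts.append(f"MISSING {lane}: {expected} did not answer")
            continue
        if beat.serial != expected:
            alerts.append(f"REPLACED {lane}: expected {expected}, got {beat.serial}")
        elif beat.missed_polls >= max_missed:
            alerts.append(f"UNPLUGGED {lane}: {expected} missed {beat.missed_polls} poll(s)")
    for beat in beats:
        if beat.lane not in AUTHORIZED:
            alerts.append(f"UNKNOWN {beat.lane}: device {beat.serial} is not in inventory")
        if beat.serial in previously_missing:
            alerts.append(f"REAPPEARED {beat.lane}: {beat.serial} was missing, inspect before use")
    return alerts

def missing_serials(beats: List[Heartbeat]) -> Set[str]:
    """Serials that did not answer this round; carry them into the next round."""
    answered = {b.lane for b in beats}
    return {serial for lane, serial in AUTHORIZED.items() if lane not in answered}
```

Each alert is meant to trigger the immediate inspection the column calls for; the reappearance check is what turns a "floater" that quietly returns into a flagged event rather than a device that is simply back in service.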

Any social engineering penetration testers worth their salt have a supply of uniforms that are sure to get them access to all sorts of sensitive equipment, from POS devices to back-office servers. Store managers need to check IDs (although this may not help much) and confirm unexpected service calls with the company. Above all, they should escort technicians continuously and observe their actions from the time they arrive until they leave.

I personally had an experience like this when a power company repairman rang our doorbell. He wanted to know if we wanted a new, intelligent gas meter. I wasn't expecting anyone and certainly didn't call, so I asked for his ID and checked out the markings on his truck. I never left his side as he swapped out the meter. At the end, he thanked me and told me he wished everybody acted as I did; it would keep him from being falsely accused of breaking or stealing things.

Growing up near Chicago, I remember hearing public service announcements on television saying, "It is 10 o'clock. Do you know where your children are?" Maybe we need to change that message to say, "Do you know where your POS devices are?"

What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].